1 <?xml version="1.0" encoding="iso-8859-1"?>
2 <!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
3 <refentry id="samba-tool.8">
6 <refentrytitle>samba-tool</refentrytitle>
7 <manvolnum>8</manvolnum>
8 <refmiscinfo class="source">Samba</refmiscinfo>
9 <refmiscinfo class="manual">System Administration tools</refmiscinfo>
10 <refmiscinfo class="version">&doc.version;</refmiscinfo>
15 <refname>samba-tool</refname>
16 <refpurpose>Main Samba administration tool.
22 <command>samba-tool</command>
23 <arg choice="opt">-h</arg>
24 <arg choice="opt">-W myworkgroup</arg>
25 <arg choice="opt">-U user</arg>
26 <arg choice="opt">-d debuglevel</arg>
27 <arg choice="opt">--v</arg>
32 <title>DESCRIPTION</title>
33 <para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle>
34 <manvolnum>7</manvolnum></citerefentry> suite.</para>
38 <title>OPTIONS</title>
43 <term>-h|--help</term>
45 Show this help message and exit
50 <term>--realm=REALM</term>
57 <term>--simple-bind-dn=DN</term>
59 DN to use for a simple bind
64 <term>--password=PASSWORD</term>
71 <term>-U USERNAME|--username=USERNAME</term>
78 <term>-W WORKGROUP|--workgroup=WORKGROUP</term>
85 <term>-N|--no-pass</term>
87 Don't ask for a password
92 <term>-k KERBEROS|--kerberos=KERBEROS</term>
99 <term>--ipaddress=IPADDRESS</term>
101 IP address of the server
105 &popt.common.samba.client;
111 <title>COMMANDS</title>
114 <title>computer</title>
115 <para>Manage computer accounts.</para>
119 <title>computer create <replaceable>computername</replaceable> [options]</title>
120 <para>Create a new computer in the Active Directory Domain.</para>
121 <para>The new computer name specified on the command is the
122 sAMAccountName, with or without the trailing dollar sign.</para>
126 <term>--computerou=COMPUTEROU</term>
128 DN of alternative location (with or without domainDN counterpart) to
129 default CN=Computers in which new computer object will be created.
135 <term>--description=DESCRIPTION</term>
137 The new computers's description.
142 <term>--ip-address=IP_ADDRESS_LIST</term>
144 IPv4 address for the computer's A record, or IPv6 address for AAAA record,
145 can be provided multiple times.
150 <term>--service-principal-name=SERVICE_PRINCIPAL_NAME_LIST</term>
152 Computer's Service Principal Name, can be provided multiple times.
157 <term>--prepare-oldjoin</term>
159 Prepare enabled machine account for oldjoin mechanism.
166 <title>computer delete <replaceable>computername</replaceable> [options]</title>
167 <para>Delete an existing computer account.</para>
168 <para>The computer name specified on the command is the
169 sAMAccountName, with or without the trailing dollar sign.</para>
173 <title>computer edit <replaceable>computername</replaceable></title>
174 <para>Edit a computer AD object.</para>
175 <para>The computer name specified on the command is the
176 sAMAccountName, with or without the trailing dollar sign.</para>
180 <term>--editor=EDITOR</term>
182 Specifies the editor to use instead of the system default, or 'vi' if no
183 system default is set.
190 <title>computer list</title>
191 <para>List all computers.</para>
195 <title>computer move <replaceable>computername</replaceable> <replaceable>new_parent_dn</replaceable> [options]</title>
196 <para>This command moves a computer account into the specified
197 organizational unit or container.</para>
198 <para>The computername specified on the command is the
199 sAMAccountName, with or without the trailing dollar sign.</para>
200 <para>The name of the organizational unit or container can be
201 specified as a full DN or without the domainDN component.</para>
205 <title>computer show <replaceable>computername</replaceable> [options]</title>
206 <para>Display a computer AD object.</para>
207 <para>The computer name specified on the command is the
208 sAMAccountName, with or without the trailing dollar sign.</para>
212 <term>--attributes=USER_ATTRS</term>
214 Comma separated list of attributes, which will be printed.
221 <title>contact</title>
222 <para>Manage contacts.</para>
226 <title>contact create [<replaceable>contactname</replaceable>] [options]</title>
227 <para>Create a new contact in the Active Directory Domain.</para>
228 <para>The name of the new contact can be specified by the first
229 argument 'contactname' or the --given-name, --initial and --surname
230 arguments. If no 'contactname' is given, contact's name will be made
231 up of the given arguments by combining the given-name, initials and
232 surname. Each argument is optional. A dot ('.') will be appended to
233 the initials automatically.</para>
239 DN of alternative location (with or without domainDN counterpart) in
240 which the new contact will be created.
242 Default is the domain base.
247 <term>--description=DESCRIPTION</term>
249 The new contacts's description.
254 <term>--surname=SURNAME</term>
261 <term>--given-name=GIVEN_NAME</term>
263 Contact's given name.
268 <term>--initials=INITIALS</term>
275 <term>--display-name=DISPLAY_NAME</term>
277 Contact's display name.
282 <term>--job-title=JOB_TITLE</term>
289 <term>--department=DEPARTMENT</term>
291 Contact's department.
296 <term>--company=COMPANY</term>
303 <term>--mail-address=MAIL_ADDRESS</term>
305 Contact's email address.
310 <term>--internet-address=INTERNET_ADDRESS</term>
317 <term>--telephone-number=TELEPHONE_NUMBER</term>
319 Contact's phone number.
324 <term>--mobile-number=MOBILE_NUMBER</term>
326 Contact's mobile phone number.
331 <term>--physical-delivery-office=PHYSICAL_DELIVERY_OFFICE</term>
333 Contact's office location.
341 <title>contact delete <replaceable>contactname</replaceable> [options]</title>
342 <para>Delete an existing contact.</para>
343 <para>The contactname specified on the command is the common name or the
344 distinguished name of the contact object. The distinguished name of the
345 contact can be specified with or without the domainDN component.</para>
349 <title>contact edit <replaceable>contactname</replaceable></title>
350 <para>Modify a contact AD object.</para>
351 <para>The contactname specified on the command is the common name or the
352 distinguished name of the contact object. The distinguished name of the
353 contact can be specified with or without the domainDN component.</para>
357 <term>--editor=EDITOR</term>
359 Specifies the editor to use instead of the system default, or 'vi' if no
360 system default is set.
367 <title>contact list [options]</title>
368 <para>List all contacts.</para>
372 <term>--full-dn</term>
374 Display contact's full DN instead of the name.
381 <title>contact move <replaceable>contactname</replaceable> <replaceable>new_parent_dn</replaceable> [options]</title>
382 <para>This command moves a contact into the specified organizational
383 unit or container.</para>
384 <para>The contactname specified on the command is the common name or the
385 distinguished name of the contact object. The distinguished name of the
386 contact can be specified with or without the domainDN component.</para>
390 <title>contact show <replaceable>contactname</replaceable> [options]</title>
391 <para>Display a contact AD object.</para>
392 <para>The contactname specified on the command is the common name or the
393 distinguished name of the contact object. The distinguished name of the
394 contact can be specified with or without the domainDN component.</para>
398 <term>--attributes=CONTACT_ATTRS</term>
400 Comma separated list of attributes, which will be printed.
407 <title>dbcheck</title>
408 <para>Check the local AD database for errors.</para>
412 <title>delegation</title>
413 <para>Manage Delegations.</para>
417 <title>delegation add-service <replaceable>accountname</replaceable> <replaceable>principal</replaceable> [options]</title>
418 <para>Add a service principal as msDS-AllowedToDelegateTo.</para>
422 <title>delegation del-service <replaceable>accountname</replaceable> <replaceable>principal</replaceable> [options]</title>
423 <para>Delete a service principal as msDS-AllowedToDelegateTo.</para>
427 <title>delegation for-any-protocol <replaceable>accountname</replaceable> [(on|off)] [options]</title>
428 <para>Set/unset UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (S4U2Proxy)
429 for an account.</para>
433 <title>delegation for-any-service <replaceable>accountname</replaceable> [(on|off)] [options]</title>
434 <para>Set/unset UF_TRUSTED_FOR_DELEGATION for an account.</para>
438 <title>delegation show <replaceable>accountname</replaceable> [options] </title>
439 <para>Show the delegation setting of an account.</para>
444 <para>Manage Domain Name Service (DNS).</para>
448 <title>dns add <replaceable>server</replaceable> <replaceable>zone</replaceable> <replaceable>name</replaceable> <replaceable>A|AAAA|PTR|CNAME|NS|MX|SRV|TXT</replaceable> <replaceable>data</replaceable></title>
449 <para>Add a DNS record.</para>
453 <title>dns delete <replaceable>server</replaceable> <replaceable>zone</replaceable> <replaceable>name</replaceable> <replaceable>A|AAAA|PTR|CNAME|NS|MX|SRV|TXT</replaceable> <replaceable>data</replaceable></title>
454 <para>Delete a DNS record.</para>
458 <title>dns query <replaceable>server</replaceable> <replaceable>zone</replaceable> <replaceable>name</replaceable> <replaceable>A|AAAA|PTR|CNAME|NS|MX|SRV|TXT|ALL</replaceable> [options] <replaceable>data</replaceable></title>
459 <para>Query a name.</para>
463 <title>dns roothints <replaceable>server</replaceable> [<replaceable>name</replaceable>] [options]</title>
464 <para>Query root hints.</para>
468 <title>dns serverinfo <replaceable>server</replaceable> [options]</title>
469 <para>Query server information.</para>
473 <title>dns update <replaceable>server</replaceable> <replaceable>zone</replaceable> <replaceable>name</replaceable> <replaceable>A|AAAA|PTR|CNAME|NS|MX|SRV|TXT</replaceable> <replaceable>olddata</replaceable> <replaceable>newdata</replaceable></title>
474 <para>Update a DNS record.</para>
478 <title>dns zonecreate <replaceable>server</replaceable> <replaceable>zone</replaceable> [options]</title>
479 <para>Create a zone.</para>
483 <title>dns zonedelete <replaceable>server</replaceable> <replaceable>zone</replaceable> [options]</title>
484 <para>Delete a zone.</para>
488 <title>dns zoneinfo <replaceable>server</replaceable> <replaceable>zone</replaceable> [options]</title>
489 <para>Query zone information.</para>
493 <title>dns zonelist <replaceable>server</replaceable> [options]</title>
494 <para>List zones.</para>
498 <title>domain</title>
499 <para>Manage Domain.</para>
503 <title>domain backup</title>
504 <para>Create or restore a backup of the domain.</para>
508 <title>domain backup offline</title>
509 <para>Backup (with proper locking) local domain directories into a tar file.</para>
513 <title>domain backup online</title>
514 <para>Copy a running DC's current DB into a backup tar file.</para>
518 <title>domain backup rename</title>
519 <para>Copy a running DC's DB to backup file, renaming the domain in the process.</para>
523 <title>domain backup restore</title>
524 <para>Restore the domain's DB from a backup-file.</para>
528 <title>domain classicupgrade [options] <replaceable>classic_smb_conf</replaceable></title>
529 <para>Upgrade from Samba classic (NT4-like) database to Samba AD DC
534 <title>domain dcpromo <replaceable>dnsdomain</replaceable> [DC|RODC] [options]</title>
535 <para>Promote an existing domain member or NT4 PDC to an AD DC.</para>
539 <title>domain demote</title>
540 <para>Demote ourselves from the role of domain controller.</para>
544 <title>domain exportkeytab <replaceable>keytab</replaceable> [options]</title>
545 <para>Dumps Kerberos keys of the domain into a keytab.</para>
549 <title>domain info <replaceable>ip_address</replaceable> [options]</title>
550 <para>Print basic info about a domain and the specified DC.
555 <title>domain join <replaceable>dnsdomain</replaceable> [DC|RODC|MEMBER|SUBDOMAIN] [options]</title>
556 <para>Join a domain as either member or backup domain controller.</para>
560 <title>domain level <replaceable>show|raise</replaceable> <replaceable>options</replaceable> [options]</title>
561 <para>Show/raise domain and forest function levels.</para>
565 <title>domain passwordsettings <replaceable>show|set</replaceable> <replaceable>options</replaceable> [options]</title>
566 <para>Show/set password settings.</para>
570 <title>domain passwordsettings pso</title>
571 <para>Manage fine-grained Password Settings Objects (PSOs).</para>
575 <title>domain passwordsettings pso apply <replaceable>pso-name</replaceable> <replaceable>user-or-group-name</replaceable> [options]</title>
576 <para>Applies a PSO's password policy to a user or group.</para>
580 <title>domain passwordsettings pso create <replaceable>pso-name</replaceable> <replaceable>precedence</replaceable> [options]</title>
581 <para>Creates a new Password Settings Object (PSO).</para>
585 <title>domain passwordsettings pso delete <replaceable>pso-name</replaceable> [options]</title>
586 <para>Deletes a Password Settings Object (PSO).</para>
590 <title>domain passwordsettings pso list [options]</title>
591 <para>Lists all Password Settings Objects (PSOs).</para>
595 <title>domain passwordsettings pso set <replaceable>pso-name</replaceable> [options]</title>
596 <para>Modifies a Password Settings Object (PSO).</para>
600 <title>domain passwordsettings pso show <replaceable>user-name</replaceable> [options]</title>
601 <para>Displays a Password Settings Object (PSO).</para>
605 <title>domain passwordsettings pso show-user <replaceable>pso-name</replaceable> [options]</title>
606 <para>Displays the Password Settings that apply to a user.</para>
610 <title>domain passwordsettings pso unapply <replaceable>pso-name</replaceable> <replaceable>user-or-group-name</replaceable> [options]</title>
611 <para>Updates a PSO to no longer apply to a user or group.</para>
615 <title>domain provision</title>
616 <para>Promote an existing domain member or NT4 PDC to an AD DC.</para>
620 <title>domain trust</title>
621 <para>Domain and forest trust management.</para>
625 <title>domain trust create <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
626 <para>Create a domain or forest trust.</para>
630 <title>domain trust delete <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
631 <para>Delete a domain trust.</para>
635 <title>domain trust list <replaceable>options</replaceable> [options]</title>
636 <para>List domain trusts.</para>
640 <title>domain trust namespaces [<replaceable>DOMAIN</replaceable>] <replaceable>options</replaceable> [options]</title>
641 <para>Manage forest trust namespaces.</para>
645 <title>domain trust show <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
646 <para>Show trusted domain details.</para>
650 <title>domain trust validate <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
651 <para>Validate a domain trust.</para>
656 <para>Manage Directory Replication Services (DRS).</para>
660 <title>drs bind</title>
661 <para>Show DRS capabilities of a server.</para>
665 <title>drs kcc</title>
666 <para>Trigger knowledge consistency center run.</para>
670 <title>drs options</title>
671 <para>Query or change <replaceable>options</replaceable> for NTDS Settings
672 object of a domain controller.</para>
676 <title>drs replicate <replaceable>destination_DC</replaceable> <replaceable>source_DC</replaceable> <replaceable>NC</replaceable> [options]</title>
677 <para>Replicate a naming context between two DCs.</para>
681 <title>drs showrepl</title>
682 <para>Show replication status. The <arg
683 choice="opt">--json</arg> option results in JSON output, and
684 with the <arg choice="opt">--summary</arg> option produces
685 very little output when the replication status seems healthy.
691 <para>Administer DS ACLs</para>
695 <title>dsacl set</title>
696 <para>Modify access list on a directory object.</para>
700 <title>forest</title>
701 <para>Manage Forest configuration.</para>
705 <title>forest directory_service</title>
706 <para>Manage directory_service behaviour for the forest.</para>
710 <title>forest directory_service dsheuristics <replaceable>VALUE</replaceable></title>
711 <para>Modify dsheuristics directory_service configuration for the forest.</para>
715 <title>forest directory_service show</title>
716 <para>Show current directory_service configuration for the forest.</para>
721 <para>Manage Flexible Single Master Operations (FSMO).</para>
725 <title>fsmo seize [options]</title>
726 <para>Seize the role.</para>
730 <title>fsmo show</title>
731 <para>Show the roles.</para>
735 <title>fsmo transfer [options]</title>
736 <para>Transfer the role.</para>
741 <para>Manage Group Policy Objects (GPO).</para>
745 <title>gpo create <replaceable>displayname</replaceable> [options]</title>
746 <para>Create an empty GPO.</para>
750 <title>gpo del <replaceable>gpo</replaceable> [options]</title>
751 <para>Delete GPO.</para>
755 <title>gpo dellink <replaceable>container_dn</replaceable> <replaceable>gpo</replaceable> [options]</title>
756 <para>Delete GPO link from a container.</para>
760 <title>gpo fetch <replaceable>gpo</replaceable> [options]</title>
761 <para>Download a GPO.</para>
765 <title>gpo getinheritance <replaceable>container_dn</replaceable> [options]</title>
766 <para>Get inheritance flag for a container.</para>
770 <title>gpo getlink <replaceable>container_dn</replaceable> [options]</title>
771 <para>List GPO Links for a container.</para>
775 <title>gpo list <replaceable>username</replaceable> [options]</title>
776 <para>List GPOs for an account.</para>
780 <title>gpo listall</title>
781 <para>List all GPOs.</para>
785 <title>gpo listcontainers <replaceable>gpo</replaceable> [options]</title>
786 <para>List all linked containers for a GPO.</para>
790 <title>gpo setinheritance <replaceable>container_dn</replaceable> <replaceable>block|inherit</replaceable> [options]</title>
791 <para>Set inheritance flag on a container.</para>
795 <title>gpo setlink <replaceable>container_dn</replaceable> <replaceable>gpo</replaceable> [options]</title>
796 <para>Add or Update a GPO link to a container.</para>
800 <title>gpo show <replaceable>gpo</replaceable> [options]</title>
801 <para>Show information for a GPO.</para>
806 <para>Manage groups.</para>
810 <title>group add <replaceable>groupname</replaceable> [options]</title>
811 <para>Create a new AD group.</para>
815 <title>group addmembers <replaceable>groupname</replaceable> <replaceable>members</replaceable> [options]</title>
816 <para>Add members to an AD group.</para>
820 <title>group delete <replaceable>groupname</replaceable> [options]</title>
821 <para>Delete an AD group.</para>
825 <title>group edit <replaceable>groupname</replaceable></title>
826 <para>Edit a group AD object.</para>
830 <term>--editor=EDITOR</term>
832 Specifies the editor to use instead of the system default, or 'vi' if no
833 system default is set.
840 <title>group list</title>
841 <para>List all groups.</para>
845 <title>group listmembers <replaceable>groupname</replaceable> [options]</title>
846 <para>List all members of the specified AD group.</para>
850 <title>group move <replaceable>groupname</replaceable> <replaceable>new_parent_dn</replaceable> [options]</title>
851 <para>This command moves a group into the specified organizational unit
853 <para>The groupname specified on the command is the sAMAccountName.
855 <para>The name of the organizational unit or container can be
856 specified as a full DN or without the domainDN component.</para>
861 <title>group removemembers <replaceable>groupname</replaceable> <replaceable>members</replaceable> [options]</title>
862 <para>Remove members from the specified AD group.</para>
866 <title>group show <replaceable>groupname</replaceable> [options]</title>
867 <para>Show group object and it's attributes.</para>
871 <title>group stats [options]</title>
872 <para>Show statistics for overall groups and group memberships.</para>
876 <title>ldapcmp <replaceable>URL1</replaceable> <replaceable>URL2</replaceable> <replaceable>domain|configuration|schema|dnsdomain|dnsforest</replaceable> [options] </title>
877 <para>Compare two LDAP databases.</para>
882 <para>Manage NT ACLs.</para>
886 <title>ntacl changedomsid <replaceable>original-domain-SID</replaceable> <replaceable>new-domain-SID</replaceable> <replaceable>file</replaceable> [options]</title>
887 <para>Change the domain SID for ACLs.
888 Can be used to change all entries in acl_xattr when the machine's SID
889 has accidentally changed or the data set has been copied
890 to another machine either via backup/restore or rsync.</para>
894 <term>--use-ntvfs</term>
896 Set the ACLs directly to the TDB or xattr. The POSIX permissions will
897 NOT be changed, only the NT ACL will be stored.
902 <term>--service=SERVICE</term>
904 Specify the name of the smb.conf service to use. This option is
905 required in combination with the --use-s3fs option.
910 <term>--use-s3fs</term>
912 Set the ACLs for use with the default s3fs file server via the VFS
913 layer. This option requires a smb.conf service, specified by the
914 --service=SERVICE option.
919 <term>--xattr-backend=[native|tdb]</term>
921 Specify the xattr backend type (native fs or tdb).
926 <term>--eadb-file=EADB_FILE</term>
928 Name of the tdb file where attributes are stored.
933 <term>--recursive</term>
935 Set the ACLs for directories and their contents recursively.
940 <term>--follow-symlinks</term>
942 Follow symlinks when --recursive is specified.
947 <term>--verbose</term>
949 Verbosely list files and ACLs which are being processed.
957 <title>ntacl get <replaceable>file</replaceable> [options]</title>
958 <para>Get ACLs on a file.</para>
962 <title>ntacl set <replaceable>acl</replaceable> <replaceable>file</replaceable> [options]</title>
963 <para>Set ACLs on a file.</para>
967 <title>ntacl sysvolcheck</title>
968 <para>Check sysvol ACLs match defaults (including correct ACLs on GPOs).</para>
972 <title>ntacl sysvolreset</title>
973 <para>Reset sysvol ACLs to defaults (including correct ACLs on GPOs).</para>
978 <para>Manage organizational units (OUs).</para>
982 <title>ou create <replaceable>ou_dn</replaceable> [options]</title>
983 <para>Create an organizational unit.</para>
984 <para>The name of the organizational unit can be specified as a full DN
985 or without the domainDN component.</para>
989 <term>--description=DESCRIPTION</term>
991 Specify OU's description.
998 <title>ou delete <replaceable>ou_dn</replaceable> [options]</title>
999 <para>Delete an organizational unit.</para>
1000 <para>The name of the organizational unit can be specified as a full DN
1001 or without the domainDN component.</para>
1005 <term>--force-subtree-delete</term>
1007 Delete organizational unit and all children reclusively.
1014 <title>ou list [options]</title>
1015 <para>List all organizational units.</para>
1018 <term>--full-dn</term>
1020 Display DNs including the base DN.
1027 <title>ou listobjects <replaceable>ou_dn</replaceable> [options]</title>
1028 <para>List all objects in an organizational unit.</para>
1029 <para>The name of the organizational unit can be specified as a full DN
1030 or without the domainDN component.</para>
1034 <term>--full-dn</term>
1036 Display DNs including the base DN.
1041 <term>-r|--recursive</term>
1043 List objects recursively.
1050 <title>ou move <replaceable>old_ou_dn</replaceable> <replaceable>new_parent_dn</replaceable> [options]</title>
1051 <para>Move an organizational unit.</para>
1052 <para>The name of the organizational units can be specified as a full DN
1053 or without the domainDN component.</para>
1057 <title>ou rename <replaceable>old_ou_dn</replaceable> <replaceable>new_ou_dn</replaceable> [options]</title>
1058 <para>Rename an organizational unit.</para>
1059 <para>The name of the organizational units can be specified as a full DN
1060 or without the domainDN component.</para>
1065 <para>Manage Read-Only Domain Controller (RODC).</para>
1069 <title>rodc preload <replaceable>SID</replaceable>|<replaceable>DN</replaceable>|<replaceable>accountname</replaceable> [options]</title>
1070 <para>Preload one account for an RODC.</para>
1074 <title>schema</title>
1075 <para>Manage and query schema.</para>
1079 <title>schema attribute modify <replaceable>attribute</replaceable> [options]</title>
1080 <para>Modify the behaviour of an attribute in schema.</para>
1084 <title>schema attribute show <replaceable>attribute</replaceable> [options]</title>
1085 <para>Display an attribute schema definition.</para>
1089 <title>schema attribute show_oc <replaceable>attribute</replaceable> [options]</title>
1090 <para>Show objectclasses that MAY or MUST contain this attribute.</para>
1094 <title>schema objectclass show <replaceable>objectclass</replaceable> [options]</title>
1095 <para>Display an objectclass schema definition.</para>
1099 <title>sites</title>
1100 <para>Manage sites.</para>
1104 <title>sites create <replaceable>site</replaceable> [options]</title>
1105 <para>Create a new site.</para>
1109 <title>sites remove <replaceable>site</replaceable> [options]</title>
1110 <para>Delete an existing site.</para>
1115 <para>Manage Service Principal Names (SPN).</para>
1119 <title>spn add <replaceable>name</replaceable> <replaceable>user</replaceable> [options]</title>
1120 <para>Create a new SPN.</para>
1124 <title>spn delete <replaceable>name</replaceable> [<replaceable>user</replaceable>] [options]</title>
1125 <para>Delete an existing SPN.</para>
1129 <title>spn list <replaceable>user</replaceable> [options]</title>
1130 <para>List SPNs of a given user.</para>
1134 <title>testparm</title>
1135 <para>Check the syntax of the configuration file.</para>
1140 <para>Retrieve the time on a server.</para>
1145 <para>Manage users.</para>
1149 <title>user add <replaceable>username</replaceable> [<replaceable>password</replaceable>]</title>
1150 <para>Create a new user. Please note that this subcommand is deprecated
1151 and available for compatibility reasons only. Please use
1152 <command>samba-tool user create</command> instead.</para>
1156 <title>user create <replaceable>username</replaceable> [<replaceable>password</replaceable>]</title>
1157 <para>Create a new user in the Active Directory Domain.</para>
1161 <title>user delete <replaceable>username</replaceable> [options]</title>
1162 <para>Delete an existing user account.</para>
1166 <title>user disable <replaceable>username</replaceable></title>
1167 <para>Disable a user account.</para>
1171 <title>user edit <replaceable>username</replaceable></title>
1172 <para>Edit a user account AD object.</para>
1176 <term>--editor=EDITOR</term>
1178 Specifies the editor to use instead of the system default, or 'vi' if no
1179 system default is set.
1186 <title>user enable <replaceable>username</replaceable></title>
1187 <para>Enable a user account.</para>
1191 <title>user list</title>
1192 <para>List all users.</para>
1196 <title>user setprimarygroup <replaceable>username</replaceable> <replaceable>primarygroupname</replaceable></title>
1197 <para>Set the primary group a user account.</para>
1201 <title>user show <replaceable>username</replaceable> [options]</title>
1202 <para>Display a user AD object.</para>
1206 <term>--attributes=USER_ATTRS</term>
1208 Comma separated list of attributes, which will be printed.
1215 <title>user move <replaceable>username</replaceable> <replaceable>new_parent_dn</replaceable> [options]</title>
1216 <para>This command moves a user account into the specified
1217 organizational unit or container.</para>
1218 <para>The username specified on the command is the
1219 sAMAccountName.</para>
1220 <para>The name of the organizational unit or container can be
1221 specified as a full DN or without the domainDN component.</para>
1225 <title>user password [options]</title>
1226 <para>Change password for a user account (the one provided in
1227 authentication).</para>
1231 <title>user setexpiry <replaceable>username</replaceable> [options]</title>
1232 <para>Set the expiration of a user account.</para>
1236 <title>user setpassword <replaceable>username</replaceable> [options]</title>
1237 <para>Sets or resets the password of a user account.</para>
1241 <title>user getpassword <replaceable>username</replaceable> [options]</title>
1242 <para>Gets the password of a user account.</para>
1246 <title>user syncpasswords <replaceable>--cache-ldb-initialize</replaceable> [options]</title>
1247 <para>Syncs the passwords of all user accounts, using an optional script.</para>
1248 <para>Note that this command should run on a single domain controller only
1249 (typically the PDC-emulator).</para>
1253 <title>vampire [options] <replaceable>domain</replaceable></title>
1254 <para>Join and synchronise a remote AD domain to the local server.
1255 Please note that <command>samba-tool vampire</command> is deprecated,
1256 please use <command>samba-tool domain join</command> instead.</para>
1260 <title>visualize [options] <replaceable>subcommand</replaceable></title>
1261 <para>Produce graphical representations of Samba network state.
1262 To work out what is happening in a replication graph, it is sometimes
1263 helpful to use visualisations.</para>
1266 There are two subcommands, two graphical modes, and (roughly) two modes
1267 of operation with respect to the location of authority.</para>
1269 <refsect3><title>MODES OF OPERATION</title>
1271 <term>samba-tool visualize ntdsconn</term>
1272 <listitem><para>Looks at NTDS connections.
1277 <term>samba-tool visualize reps</term>
1278 <listitem><para>Looks at repsTo and repsFrom objects.
1283 <term>samba-tool visualize uptodateness</term>
1284 <listitem><para>Looks at replication lag as shown by the
1285 uptodateness vectors.
1290 <refsect3><title>GRAPHICAL MODES</title>
1292 <term>--distance</term>
1293 <listitem><para>Distances between DCs are shown in a matrix in
1300 <listitem><para>Generate Graphviz dot output (for
1301 ntdsconn and reps modes). When viewed using dot or
1302 xdot, this shows the network as a graph with DCs as
1303 vertices and connections edges. Certain types of
1304 degenerate edges are shown in different colours or
1305 line-styles. </para></listitem>
1309 <listitem><para>Generate Graphviz dot output as with
1310 <arg choice="opt">--dot</arg> and attempt to view it
1311 immediately using <command>/usr/bin/xdot</command>.
1318 <listitem><para>Normally,
1319 <command>samba-tool</command> talks to one database;
1320 with the <arg choice="opt">-r</arg> option attempts
1321 are made to contact all the DCs known to the first
1322 database. This is necessary for <command>samba-tool
1323 visualize uptodateness</command> and for
1324 <command>samba-tool visualize reps</command> because
1325 the repsFrom/To objects are not replicated, and it can
1326 reveal replication issues in other modes.
1333 <para>Gives usage information.</para>
1339 <title>VERSION</title>
1341 <para>This man page is complete for version &doc.version; of the Samba
1346 <title>AUTHOR</title>
1348 <para>The original Samba software and related utilities
1349 were created by Andrew Tridgell. Samba is now developed
1350 by the Samba Team as an Open Source project similar
1351 to the way the Linux kernel is developed.</para>
git.samba.org / samba.git / blob